Two critical vulnerabilities could lead to remote code execution

Threat ID:CC-4515

Threat Severity:Medium

Published:25 June 2024 1:48 PM

Summary

Affected platforms

The following platforms are known to be affected:

Versions: all prior to 11.1.3.0

Avaya IP Office

Threat details

Introduction

Avaya has released an advisory to address two vulnerabilities in IP Office, a unified communications platform that allows for call recording, tracking, and reporting.

CVE-2024-4196 - CVSSv3 score of 10.0. This improper input validation vulnerability could allow an attacker to perform remote command or code execution (RCE) via a specially crafted web request to the Web Control component.
CVE-2024-4197 - CVSSv3 score of 9.9. This unrestricted file upload vulnerability could allow an attacker to perform remote command or code execution via the One-X component.

Remediation advice

Affected organisations are encouraged to review Avaya IP Office Vulnerability advisory ASA-2024-001 and apply the relevant security update.

Definitive source of threat updates

https://support.avaya.com/css/public/documents/101090768

CVE Vulnerabilities

StatusPublished

CVE-2024-4196An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affected versions include all versions prior to 11.1.3.1.

StatusPublished

CVE-2024-4197An unrestricted file upload vulnerability in Avaya IP Office was discovered that could allow remote command or code execution via the One-X component. Affected versions include all versions prior to 11.1.3.1.

Last edited: 25 June 2024 1:48 pm